[strongSwan] Problem on Vodafone in India

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Wed Sep 1 19:40:27 CEST 2021


Hello John,

There must be more going on.
strongSwan configuration does not influence DNS resolution in any way.

Kind regards
Noel

On 29.08.21 at 15:38, John Serink wrote:
> Hello:
> 
> We are running the following on a Teltonika RUT-950 router:
> root@CORS144:~# ipsec --version
> Linux strongSwan U5.6.2/K3.18.44
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
> 
> I am not sure if this is a strongswan issue or not.
> IPv6 is disabled on the router:
> root@CORS144:/# cat /proc/sys/net/ipv6/conf/default/disable_ipv6
> 1
> root@CORS144:/# cat /proc/sys/net/ipv6/conf/all/disable_ipv6
> 1
> 
> We use 2 cell providers in India, Airtel and Vodafone. Airtel works as expected, no issues.
> Vodafone has a strange problem.
> 1. It can take up to 3 minutes for a connection to come up, so strongswan fails as the name
> lookup fails for our IPSec responder,
> 
> 2. When the connection finally does come up, from another ssh console I can ping our IPSec
> responder but watching the log, using logread -f, I see strongswan trying to connect to the
> IPSec responder using an IPv6 address.
> 
> Why is it doing that? We have disabled IPv6 but nslookup is returning an IPv4 and IPv6 address
> for the responder.
> 
> We never have this issue with Airtel.
> But it gets more interesting:
> 3. If I set up the ipsec.conf (/etc/config/strongswan) as:
> 
> right       TheFullyQualifiedDomainName
> 
> and then I do this:
> 
> nslookup TheFullyQualifiedDomainName
> 
> I will get an IPv4 and IPv6 address and strongswan will use the IPv6 address... there is no
> VPN set up on the IPv6 address of the destination responder.
> 4. If I set up ipsec.conf (/etc/config/strongswan) like this:
> 
> right       A.B.C.D
> 
> and then I do this:
> 
> nslookup TheFullyQualifiedDomainName
> 
> I will get only the IPv4 address A.B.C.D and strongswan will use this for the connection and
> it works.
> 
> But if we use Airtel, it works either way.
> 
> Can anyone make sense of this?
> 
> So, my question is:
> Does this seem like a strongswan issue or an RUT-950 system issue?
> 
> We have a workaround, which is to use the IP address of the responder as in item 4, which is a
> non-ideal solution if we change ISPs at the control centre... as then I'd have to manually go
> through 280 routers so I'd like to stay with the FQDN if possible.
> 
> Cheers,
> john
> 
